{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69331", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:18.800Z", "datePublished": "2026-01-06T16:36:38.222Z", "dateUpdated": "2026-04-28T20:53:28.628Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "theatre", "product": "Theater for WordPress", "vendor": "Jeroen Schmit", "versions": [{"changes": [{"at": "0.19.1", "status": "unaffected"}], "lessThanOrEqual": "0.19", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Arif Shaikh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:44.654Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Theater for WordPress: from n/a through <= 0.19.</p>"}], "value": "Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through <= 0.19."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.677Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/theatre/vulnerability/wordpress-theater-for-wordpress-plugin-0-19-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Theater for WordPress plugin <= 0.19 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T16:52:32.959720Z", "id": "CVE-2025-69331", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:53:28.628Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69331", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T16:52:32.959720Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T16:52:45.934Z"}}], "cna": {"title": "WordPress Theater for WordPress plugin <= 0.19 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Arif Shaikh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Jeroen Schmit", "product": "Theater for WordPress", "versions": [{"status": "affected", "changes": [{"at": "0.19.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "0.19"}], "packageName": "theatre", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:44.654Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/theatre/vulnerability/wordpress-theater-for-wordpress-plugin-0-19-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through <= 0.19.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Theater for WordPress: from n/a through <= 0.19.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:17.219Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69331", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:17.219Z", "dateReserved": "2025-12-31T20:12:18.800Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-06T16:36:38.222Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through <= 0.19."}], "id": "CVE-2025-69331", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-06T17:15:45.983", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/theatre/vulnerability/wordpress-theater-for-wordpress-plugin-0-19-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:58:45.382982+00:00", "value": {"mitigation_remediation": ["Upgrade the Theater for WordPress plugin to the latest release that addresses the missing authorization check.", "If an upgrade is not currently available, remove or deactivate the plugin to eliminate the risk.", "Enforce strict role\u2011based access controls for all plugin interfaces, ensuring only users with administrator privileges can perform privileged actions."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The Theater for WordPress plugin, version 0.19 and earlier, developed by Jeroen Schmit. This plugin is available for WordPress installations.", "description_and_impact": "Missing authorization in the Theater for WordPress plugin allows a user with insufficient privileges to access functions reserved for administrators, exposing the site to unauthorized configuration changes or content manipulation.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA KEV. The attack vector is likely remote via the web interface, where an authenticated user or potentially a public user could invoke the plugin\u2019s unchecked actions, enabling privilege escalation within the WordPress environment."}}}}, "created": "2026-01-07T10:08:50.270833+00:00", "updated": "2026-04-27T22:00:16.563470+00:00", "vendors": ["jeroen_schmit", "jeroen_schmit$PRODUCT$theater_for_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}